
Two known flaws highlight Microsoft patch batch

Microsoft on Tuesday released 12 patches to correct 22 vulnerabilities, including two zero-day bugs, as part of its February security update.

Most experts singled out bulletin MS11-003 as the priority patch. It fills four holes in Internet Explorer, three rated "critical" and one "important." One of the vulnerabilities fixed is publicly known and affects all supported versions of the browser; exploit code was posted shortly after Microsoft disclosed the flaw in December.

"Even though the attacks have been limited, this vulnerability needs to be patched immediately as future attacks are likely," said Jason Miller, data team manager at Shavlik Technologies, which makes vulnerability management products.

Another major fix is MS11-006, which resolves a second publicly known vulnerability, this one in the Windows Shell graphics processor, affecting Windows XP, Vista, Server 2003 and Server 2008. So far, Microsoft has not seen any active attacks.

"The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image," according to the advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Aside from the remaining nine patches, which drew "important" ratings, Microsoft also announced plans to push out an update to AutoRun, described in an advisory originally released in February 2009, as part of Windows Update. Malware that propagates via the AutoRun capability has become more common in recent months.

"Windows 7 already disables AutoRun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction," Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote in a Tuesday blog post. "With the change to the advisory, earlier versions of Windows that receive their updates automatically via Windows Update 'AutoUpdate' will now gain that security-conscious functionality as well."

Microsoft did not patch any of the five vulnerabilities revealed on Monday by TippingPoint's Zero Day Initiative, which roughly six months ago promised to disclose, starting as early as Feb. 4, any bugs reported to its bounty program that remained unfixed.

Microsoft reportedly was planning to patch the flaws in Tuesday's update but pulled them for quality assurance reasons.

Also on Tuesday, Adobe patched 68 flaws across its Reader and Acrobat, ColdFusion, Shockwave Player and Flash Player product lines.
